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INTRODUCTION 


Since 2000, the Network Advertising Initiative (NAI) has been the leading self- 
regulatory body for “third parties” in digital advertising. 


The NAI Code of Conduct (Code)' governs member engagement in Tailored 
Advertising? and Ad Delivery and Reporting (ADR)? in the United States. With 
regular updates to keep up with advancements in advertising technology, the 
Code covers: Retargeting‘; Interest-Based Advertising (IBA)> with information 
collected on websites; Cross-App Advertising (CAA)® with information from 
mobile applications; Viewed-Content Advertising (VCA)’ with information 
collected from connected televisions; and the use of offline data for digital 
advertising, known as Audience-Matched Advertising (AMA)®. 


Retargeting Interest-Based 
Advertising 


Cross-App Viewed-Content Audience-Matched 
Advertising Advertising Advertising 
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At the time of this Platforms 
publication, the NAI has 

89 member companies. 

NAI members are Exchanges 
traditionally intermediary 
companies, such as ad 
networks, exchanges, 


Connected TV 
Companies 


Data 


Intermediary Companies 


paton dao, E i comens 
isi Digital Advertisin elevisione 

connected television 8! g 

companies, that form Mobile 

the backbone of the Applications 


4 
digital advertising = 
ecosystem on websites, 
mobile applications, and 
connected televisions. This enables consumers to receive relevant ads related 
to their interests and facilitates advertisers reaching their target audiences. 
This relevant advertising continues to power free content and services in the 
digital ecosystem and is a crucial factor in the success of many small and 
medium enterprises that can flourish by finding the consumers who are most 
interested in their products.? 


Member companies work together with NAI staff to help craft stringent yet 
practical guidelines for data collection and use in connection with Tailored 
Advertising and ADR. The NAI’s annual compliance reviews also result in 
regular updates to the NAI Code and Guidance documents to keep pace with 
evolving technologies and digital advertising products that emerge each year. 
Ultimately, the goal of the NAI is to maintain consumer trust by protecting 
consumer privacy in an evolving digital media landscape. The NAI helps its 
members foster this trust through a comprehensive self-regulatory program 
that includes the Code and NAI Guidance, backed by a robust compliance 
program that focuses on spotting potential problems and issues in order to 
address and resolve them as expeditiously as possible. This process also serves 
an educational function for companies, which are incentivized to build lessons 
learned from compliance reviews into their advertising programs. 


During the 2021 compliance period, NAI staff reviewed eligible members’ 
compliance with the Code. This report provides a summary of the NAI’s public 
policy and advocacy work in 2021 as well as staff's findings from the 2021 
compliance review. This Annual Report is intended to provide consumers, 
regulators, and others with visibility into the NAI’s compliance program and self- 
regulatory process and to illustrate how the findings of the compliance program 
shape the evolution of the NAI’s policies and procedures. The first part of this 
report provides a review of the NAI’s stated goals for 2021 and the work NAI staff 
and members accomplished in those areas, as well as a public policy overview 
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of the legislative landscape and the NAI’s efforts to support a comprehensive 
federal privacy law. The second part of the report gives insight into the NAI’s 
membership application and compliance processes, as well as the NAI’s 
monitoring of consumer questions. The third part of the report details the Code 
requirements assessed by NAI staff in the 2021 annual compliance review, the 
procedures undertaken by NAI staff and members to evaluate compliance with 
those requirements, and high-level findings from the evaluations. 
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2021: THE YEAR IN REVIEW 


The NAI’s self-regulatory program regularly adapts to changes in digital 
advertising technology and considers the evolution of privacy expectations 
and norms domestically and globally. Each year the NAI sets forth its goals 
and intentions for the following year, and for 2021 the NAI planned to focus on: 
(1) cross-industry and cross-trade dialogues to help develop a new privacy 
framework and technical standards for digital advertising that are consistent 
with emerging state laws and changes in browsers and operating systems; 
(2) launching the NAI’s email-based Audience-Matched Advertising Opt-Out 
Mechanism; (3) commencing enforcement of additional notice requirements 
for the collection of Precise Location Information; and (4) further expansion of 
public policy efforts, advocacy, and outreach on a state and federal level. 


Cross-Industry 


Email-Based Audience- 
Matched Advertising 
Opt-Out Mechanism 


and Cross-Trade 
Dialogues 


Enforcement of 
Additional Notice 
Requirements for the 
Collection of Precise 
Location Information 


Expansion of State and 
Federal Policy, Advocacy, 
and Outreach Efforts 


In 2021, the NAI was involved in several cross-industry and cross-trade groups 
in the planning stages of a new self-regulatory framework to complement 
existing and emerging state laws, as well as the evolution of addressability. In 
the policy space, the NAI was a leader in the PRAM initiative which has now 
been folded into the Digital Advertising Alliance (DAA) where the NAI sits on the 
Board of Directors. The NAI is an active participant in technology-focused cross- 
industry efforts such as the IAB Tech Lab Privacy and Rearc Commit Group, TCF 
Steering Group, W3C, and Google Sandbox, keeping NAI members apprised of 
developments in these groups while speaking on behalf of the many small and 
medium sized companies that represent NAl membership. 
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To further bolster collaboration, the NAI opened participation in its own working 
groups to publishers, advertisers, law firms, and other stakeholders in the digital 
advertising ecosystem. 


The NAI launched its centralized, email address-based Opt-Out Mechanism 
for Audience-Matched Advertising on July 1, 2021, and successfully processed 
over eighty thousand email opt-out requests in 2021. In a culmination of more 
than a year of work by NAI staff and member companies, this new technology 
allows consumers to exercise choice with respect to Audience-Matched 
Advertising based on data associated with their email addresses. As the use 

of hashed email addresses is being explored in novel addressability tools and 
technologies, the NAI also announced that it expects its members will extend 
such an opt-out to all Tailored Advertising using hashed email addresses in the 
near future. 


The NAI began including the IN 2021, FIVE NEW MEMBER 


requirement for additional 

notice regarding the sharing COMPANIES WERE APPROVED BY 
and use of Precise Location THE NAI BOARD OF DIRECTORS 
Information in its 2021 NAI 

compliance review process and noted that momentum seemed to be building 
across the industry for providing this additional notice. NAl members must 
include requirements for additional notice in partner contracts, it is ultimately up 
to those partners to provide the required notice. Many NAl members reported 
less pushback from publishers and other partners with respect to contractual 
provisions calling for such notice. 


The NAI Code includes principles related to transparency, choice, data 
minimization, purpose and use restriction, data security, and others. Although 
many of the NAI’s resources go to ensuring that the advertising ecosystem 
operates in a transparent manner, and that choices provided to consumers 
work as expected, transparency and choice alone are by no means sufficient to 
protect consumers, and the NAI is actively working to introduce new guidance 
and requirements regarding data minimization as well as use restrictions for 
various data types. 


Five new members joined the NAI in 2021, which ranges from startups, 

small to medium-sized actors, to some of the most important companies in 
third-party digital advertising ecosystem. This demonstrates interest in NAI 
membership persisted even after the public health crisis introduced significant 
economic uncertainty and cost-cutting. The NAI is also working more closely 
with advertisers and publishers as they embrace a larger role in the digital 
advertising ecosystem, leveraging their own data to help deliver better 
advertising in privacy-promoting ways. Effective self-regulation of advertising 
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technology continues to be a vital component in building trust not only between 
participating NAI members and consumers, but also between member 
companies and service providers, publishers, and advertisers. 


Public Policy 


Throughout the rapidly evolving public policy landscape, the NAI’s efforts in 2021 
were focused in three major areas: (1) promoting a uniform national consumer 
privacy law to provide consistent protections for consumers and to streamline 
compliance for companies; (2) engaging with state policymakers to steer the 
development of independent state laws; and (3) helping shape the CCPA and 
CPRA implementing regulations, while working with member companies and 
other stakeholders to guide the industry's implementation of new policies and 
practices in response to the new state legal requirements. 


The common thread in all of the NAI’s public policy efforts remains the 
conviction that strong consumer privacy protections can and should exist 
hand-in-hand with robust digital content that is supported by innovative digital 
advertising solutions, and that self-regulatory programs like those of the NAI 
play a complementary role to new regulations as a means of supplementing 
and enhancing state and federal legislation. NAl’s strong privacy self-regulation 
programs provide a method for participating companies to demonstrate 

their compliance with robust requirements that often go above and beyond 
existing laws, helping good actors distinguish themselves, which in turn allows 
regulators to focus more of their efforts on companies that do not prioritize 
data privacy. 


In 2021, over two-thirds of states considered broad consumer privacy legislation, 
many modeled significantly after the California Consumer Privacy Act (CCPA) 
and California Privacy Rights Act (CPRA), and others taking significantly 
different approaches. Among those states, two were able to reach consensus 
and enact new state-wide laws, both of which were modeled substantially 
after the CCPA and CPRA but diverged significantly in many areas. At the close 
of 2021, there were four states having adopted consumer privacy legislation 
establishing rights for citizens pertaining to their personal information. These 
disparate laws and their differing requirements, when they come into force 

in 2023, will create a patchwork of consumer protections and a more difficult 
legal and regulatory environment for companies. Additionally on the state legal 
front, 2021 was the first full year of state enforcement for California’s CCPA, 
which came into force midway through 2020. Attorney General Xavier Becerra 
finalized CCPA regulations in early 2021, and provided additional guidance for 
companies, laying the groundwork for enforcement throughout the rest of the 
year. 
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Federal policymakers also maintained a significant focus on consumer 

privacy in 2021, with continued deliberations in Congress, and a focus on the 
intersection of consumer privacy and civil rights by the Biden Administration. 
Unfortunately, consensus around a comprehensive national consumer privacy 
framework remained elusive. As a result of stalled legislative discussions and 
judicial proceedings limiting the Federal Trade Commission’s (FTC) ability 

to seek restitution for many privacy actions, many Democratic Members of 
Congress urged the FTC to engage in broad consumer privacy rulemaking, 
while also seeking to quickly advance legislation to increase the FTC’s resources 
and ability to issue civil penalties for first-time violations of Section 5 of the FTC 
Act. In December 2021, the FTC publicly announced its intent to begin a privacy 
rulemaking. 


Promotion of a National Consumer Privacy 
Framework and Strong, Consistent Federal 
Regualtions 


The NAI continued to serve as the leading voice of the advertising technology 
industry in 2021, promoting federal legislation to create a strong federal 
consumer privacy framework that would provide for combined federal and 
state enforcement. The NAI’s engagement in Washington in 2021 included 
participation in a set of stakeholder roundtable discussions on federal privacy 
legislation hosted by the House Energy and Commerce Committee and 
selection to speak at a stakeholder discussion held by the U.S. Department 

of Commerce National Telecommunications and Information Administration 
focused on privacy, equity, and civil rights. The NAI also engaged directly with 
leaders in Congress and the FTC to inform them about the NAI’s continually 
expanding self-regulatory efforts and policy objectives. The NAI continued as 
an executive committee member of Privacy for America,” a diverse industry 
coalition promoting a federal legislative model to clearly define and prohibit 
unreasonable data practices that make personal data vulnerable to breach or 
misuse, while preserving the benefits that come from responsible use of data. 
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Engagement on CCPA and CPRA 
Rulemaking and Implementation 


Final supplemental CCPA regulations were adopted in early 2021, and the 
preliminary rulemaking process for the CPRA began in the second half of 

the year. The NAI submitted detailed comments" to the Office of the Attorney 
General regarding the final proposed CCPA regulations, as well as the call 
request for preliminary comments prior to the start of the official CPRA 
rulemaking process. The NAI’s comments consistently maintain the goal of 
balancing enhanced consumer privacy protections with the need to maintain 
a competitive marketplace for digital advertising as a driver of the economy. 
To help NAI member companies operationalize new state legal and regulatory 
requirements established by the four major state laws, the NAI launched a new 
working group to help guide member discussion around potential industry 
approaches. The NAI also provided industry-specific analyses to enhance 
members’ understanding of how new requirements may affect the digital 
advertising ecosystem. Key areas of focus in 2021 were the development of a 
draft model privacy risk assessment for members to use as a starting point for 
assessing risks consistent with the state legal requirements, and streamlining 
the process for replying to data subject access requests. 


Engagement with State Legislators 
Considering Adoption of New Localized 
Consumer Privacy Laws 


The NAI remains concerned about the development of a patchwork approach 
of disparate state laws as the American approach to enhance consumer 
privacy for U.S. consumers. To that end, the NAI engaged heavily throughout 
2021 with legislators across approximately half of the U.S. states, submitting 
comments and legislative recommendations on dozens of proposals. The NAI’s 
engagement with policymakers remains pragmatic, seeking to inform state 
legislators about the implications of key legislative provisions on consumers, 
industry and the digital marketplace, ultimately seeking to maximize 
consistency and consensus around workable protections. 
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THE NAI COMPLIANCE 


PROGRAM 


A. Joining the NAI - Compliance Begins Before 
Membership 


Companies interested in NAl membership cannot simply join the NAI; they 
must commit to compliance with the Code and to oversight by the NAI of those 
compliance efforts. Compliance efforts begin even before a company becomes 
a member. At least two members of NAI staff with relevant and appropriate 
expertise evaluate each applicant's products and related privacy practices. 
These reviews focus on the applicant’s responses to an NAI application 
questionnaire, the company’s privacy disclosures, and information regarding 
the company’s data collection, use, retention, and sharing practices, to ensure 
those practices are consistent with the Code. Additionally, an NAI technologist 
tests the applicant’s Opt-Out Mechanisms.” NAI staff then conducts interviews 
with high-level employees at the company, asking further detailed questions, 
including those aimed at resolving potential discrepancies identified based 

on the application materials, or assessing business practices that may be 
inconsistent with the Code. 


An applicant that wishes to become a member must work with NAI staff to 
help bring its services and products into a position where it can comply with 
the Code prior to admission.” During this process NAI staff evaluates each 
applicant's practices and disclosures, highlighting those that need to be 
addressed before the company can become a member of the NAI. Though 
some companies attain membership within a few weeks, for others, the initial 
qualification assessment can be a months-long process, with the NAI providing 
guidance and suggestions about compliance along the way. As a result of the 
NAI application review process, many applicants make numerous revisions to 
their public privacy disclosures, partner contracts, and data collection and use 
practices. Typically, NAI staff provides technical guidance to help an applicant 
develop an Opt-Out Mechanism that is capable of meeting the Code’s 
requirements and NAI technical specification to ensure compatibility with the 
NAI opt-out page. At times, applicants have abandoned or revised entire lines 
of business that did not, or could not, meet the requirements of the Code. 
Once this pre-membership review is completed, NAI staff submits a 
recommendation for membership to the Membership Subcommittee of the 
NAI Board of Directors. The NAI Board of Directors is comprised of seasoned 
privacy attorneys and executives from up to fourteen leading member 
companies. The Membership Subcommittee of the Board reviews each 
application, often requesting additional information from an applicant, before 
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recommending acceptance of a new member to the full Board. Therefore, each 
potential member is reviewed first by NAI staff, second by the Membership 
Subcommittee, and finally by the full NAI Board. This review process helps 
establish that an applicant has administrative, operational, and technical 
capabilities that can comply with the requirements of the Code before the 
company is admitted to the NAI. 


In 2021, five companies" completed the application process and were 
approved for membership by the Board. 


At the closing of the 2021 NAI compliance review period the 


NAI Board consisted of: 


e Douglas Miller, Vice President and Global Privacy Leader, Verizon Media; 
Chairman, NAI Board of Directors 


e Alan Chapell, President, Chapell & Associates, on behalf of Eyeota; Vice- 
Chairman, NAI Board of Directors 


e Dana Edwards, SVP, Engine Group; Secretary, NAI Board of Directors 


e Ken Dreifach, Shareholder, ZwillGen, representing NextRoll; Treasurer, 
NAI Board of Directors 


e Fiona Campbell-Webster, Chief Privacy Officer, MediaMath 

e Ileana Falticeni, General Counsel, Quantcast 

e Ghita Harris-Newton, Director of Government Affairs and Public Policy, 
Google 

e Paul Harrison, CTO and Co-Founder, Simpli.fi 

e Duncan McCall, CEO and Co-Founder, PlacelQ 

e Matthew Pinder, VP, Head Global Privacy and Policy Attorney, Xandr 

° Tamera Reynolds, Associate General Counsel N.A., Senior Partner, Xaxis 
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B. Monitoring of Members 
1. Opt-Out Testing 


When integrating with the NAI opt-out page for the first time, each member 
company has its own configuration tested and verified by NAI staff in a sandbox 
environment, which prevents many issues before live deployment. Once a 
member's opt-out is listed on the NAI site, it is monitored through routine 
manual checks of the NAI’s opt-out page as well as the more in-depth reviews 
of each evaluated member company’s cookies, including their values and 
expiration dates, performed during compliance reviews. An NAI staff member 
routinely verifies that the NAI opt-out page continues to function as expected, 
and follows up with an analysis to help members fix potential problems. 
Although such problems were rare, the majority of cookie-based opt-out issues 
were the result of changing browser interaction with third-party cookies, which 
prevented opt-out cookies from being set for the intended duration. 


2. Investigating Consumer Communications 


The NAI website provides a 


centralized mechanism for IN 2021, THE NAI RECEIVED MORE 
consumers to ask questions and THAN 4,600 CONSUMER QUERIES 
raise concerns about member THROUGH ITS WEBSITE OR VIA EMAIL. 


compliance with the Code (§ III.C.1.). 


In 2021, the NAI received and reviewed 4,439 email queries through its website, 
and 167 contacts via telephone. NAI staff determined that, as in the past, a 
vast majority of the inquiries received did not pertain to issues within the scope 
of the NAI’s mission. For example, 191 communications were questions from 
users about 

junk email, 933 
were attempts 

to reach the 
publishers of 
specific websites, 
140 were emails 
looking to stop 
all advertising, 
and 43 were 
emails asking 

to remove 

a specific 
advertisement. In 
those instances, 
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the NAI provides an automated response informing users about the scope of 
the NAI program and the types of requests with which the NAI can assist. 

225 emails, or approximately five percent of consumer inquiries were related 
to the NAI Opt-Out Mechanism, the NAI Code, or NAl member companies. 
The majority of these inquiries were requests for assistance in troubleshooting 
technical issues with IBA opt-outs, particularly in cases where browser controls 
blocked third-party cookies, ISP/workplace Internet filters or anti-virus software 
prevented opt-out cookies from being set on the consumer's browser, or 
temporary connectivity issues such as latency and connection speed led 

to malfunctions. Questions or concerns about NAI member companies are 
reviewed by NAI staff and, when appropriate, resolved by the member 
company and NAI staff. 


All consumer communications received by the NAI in 2021 that could be resolved 
by the NAI as part of its compliance reviews were promptly resolved by NAI 
staff. There were no consumer allegations of member non-compliance with 
the Code that NAI staff determined to be material in nature. 


3. Investigating Other Allegations and Complaints 


In addition to the NAI’s own monitoring and research, NAI staff also 
scrutinizes a variety of other sources for potential instances of member 
non-compliance, including published articles, public allegations by privacy 
advocates, complaints to the NAI by third parties or other NAl members, and 
investigations by other self-regulatory bodies. 


C. 2021 Annual Review of Evaluated Member 
Companies 


As part of their membership 
IN 2021 THE NAI REVIEWED obligations, NAI members are 
86 MEMBER COMPANIES. required to annually undergo 


reviews of their compliance with 
the Code by NAI compliance staff. 


During the 2021 annual compliance review period, NAI staff reviewed the 86 
companies that were members from January 1 through December 31, 2021.5 
These members are referred to as “evaluated member companies” throughout 
this report. Those members that joined the NAI after January 1, 2021€ were 
already subject to an extensive review during the calendar year as part of 

the on-boarding process, and therefore were not part of the 2021 annual 
compliance review. Those members will be assessed again during the 2022 
annual review process.” 
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21 EVALUATED MEMBER COMPANIES 


o 33Across 

o AcuityAds 

o AddThis 

o AdForm 

o Adobe 

o AdRoll 

o AlikeAudience 

o Amobee 

o Apollo Program (Formerly Anomaly) 
o AppNexus 
Appreciate (formerly Triapodi) 
o Artsai 

o Audiencerate 

o AuDigent 

° Beeswax 

e BlueKai/Oracle 
o Branch 

o Catalina 

e Choozle 

o Choreograph 

e Clickagy 

o Clicksco 

o Criteo 

e Cross Pixel Media 
e Crossix 

o Cuebiq 

e Datonics 

o Engine Media 

o Entravision 

o Exelate 

o Eyeota 

o Factual 

o Flashtalking 

o Google 

o Gravy Analytics 
e GumGum 

o Hivestack 

o IHS Markit Digital 
o Index Exchange 
o inMarket Media 
o Innovid 

o Inuvo 

o Kargo 
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o Lotame 

o Media.net 

e MediaMath 
e Microsoft 

o MIQ 

o Magnite 

o MNTN 

o Nativo 

o Neustar 

o Numberly 

e Outbrain 

o OwnerIQ 

o Place Exchange 
oe PlacelQ 

o Pubmatic 

e Quantcast 

o Rakuten Advertising 
o Retargetly 

o RhythmOne 
° Salesforce 

e Sambal V 

° Semasio 

e ShareThis 

o Simpli.fi 

e Sonobi 

o Swoop 

° Taboola 

o TapAd 

° Throtle 

o Ti Health 

o The Trade Desk 
e TrueData 

o Ubimo 

o Undertone 

o VDX/Tribal Fusion 
e Viant 

e Vibrant 

o Weborama 
e Wunderkind 
° X-Mode 

o Xaxis 

° Yahoo 

o Yieldmo 
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1. Training 


In 2021, the NAI provided multiple training and educational sessions for its 
members. NAI compliance staff hosted an online meeting for new members, 
and new representatives at existing member companies, to help prepare them 
for the 2021 compliance review process and to highlight key provisions of the 
Code. In lieu of the traditional NAI Summit, which had been postponed again 
in 2021 due to continuing public health concerns, the NAI hosted smaller events 
for member companies in New York City and San Francisco, as well as a fireside 
chat with FTC Commissioner Noah Phillips, in Washington, D.C. The NAI also 
organized a series of webinars on timely topics, including a webinar on Global 
Privacy Controls, and a discussion about avoiding discriminatory outcomes in 
digital advertising, a key area of concern for the NAI. 


These events, together with the growth of the NAI’s widely attended and 
regularly scheduled Public Policy Working Group calls, further cement the NAI’s 
role as an important source for educational events featuring legal experts, 
regulators, journalists, privacy advocates, as well as other trade associations 
and self-regulatory bodies. NAI staff also typically visit member company 
offices to provide in-person education regarding Code requirements and 
ongoing developments in the industry, although that practice was curtailed in 
2021 on account of health concerns. 


2. Written Questionnaire and Supporting Documentation 


Evaluated member companies submitted written responses to the 2021 
compliance questionnaire, which was updated the previous year to include 

the new requirements of and references of the 2020 Code. The questionnaire 
required evaluated member companies to describe their business practices 
and policies in relation to the requirements of the Code and NAI Guidance 
documents. To further establish compliance, the questionnaire also requested 
that evaluated member companies provide supporting documentation such 
as sample contract language, links to specific disclosures, and lists of cookies 
or other identifiers. Building on information obtained from prior reviews, this 
questionnaire also covered contractual requirements imposed on business 
partners concerning notice and choice around Tailored Advertising activities;® 
other protections for data collected and used for Tailored Advertising purposes, 
such as data retention schedules; and processes for oversight and enforcement 
of contractual requirements. 


A minimum of two NAI staff members reviewed each evaluated member 
company’s questionnaire responses and related materials to assess compliance 
with the Code, together with representations about business practices available 
from the evaluated member company’s public and non-public materials. These 
materials generally included news articles, the member company’s website, 
privacy policies, terms of service, and sample advertising contracts. 
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3. Interviews 


Following the review of questionnaire submissions and other supporting 
materials, at least two members of NAI staff interviewed representatives from 
every evaluated member company. NAI staff explored the business practices of 
evaluated member companies, and wherever necessary clarified questionnaire 
responses that appeared to be incomplete, vague, unclear, or raised questions 
based on the NAI’s own review of a company’s business model. The NAI 
compliance team also queried member company representatives about 
additional issues, such as data flows, opt-out functionality, data retention 
policies and procedures, and technologies used for Tailored Advertising. 


Conducting interviews with all evaluated member companies provides the 
compliance team with additional in-depth insight into each company’s 
products, especially as new business models and technologies continue to 
emerge. This integrated view of the industry, resulting from direct engagement 
and regular contact with 89 companies, greatly increases NAI staff's 

ability to flag potential privacy issues for members and shapes NAI staff 
recommendations regarding future guidance and policies. The candor reflected 
in compliance questionnaire and interview responses is only possible due to the 
mutual trust between NAI members and the organization. 


These interviews also offer an opportunity for the compliance team to provide 
best practice suggestions for evaluated member companies. During these 

calls staff reminded evaluated member companies to perform frequent checks 
of their Opt-Out Mechanisms to ensure they function correctly. NAI staff also 
suggested steps evaluated member companies should take when working with 
third-party data providers to help ensure that data comes from responsible 
sources. The NAI often provided recommendations on clarifying language for 
privacy disclosures, based on NAI staff's collective experience reading hundreds 
of member and website publisher privacy policies. 


This was the second compliance review under the all new 2020 NAI Code 

of Conduct, which introduced a multitude of material changes in member 
requirements and obligations. NAI staff worked with all members to ensure 
they were in a good position to comply with all of the Code’s new and modified 
requirements, including those going into effect in 2021, such as the email- 
based consumer Opt-Out Mechanism for Audience Matched Advertising, 

and contractual requirements regarding Opt-In Consent for Precise Location 
Information. 
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4. Attestations 


After completion of the questionnaire and interview process, and as a final 

step in the annual compliance review, evaluated member companies were 
required to attest in writing to their ongoing compliance with the Code. 
Evaluated member companies were also required to attest to the veracity of the 
information provided during the review process. 
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2021 ANNUAL 


REVIEW FINDINGS 


The Code requires the NAI to publish the results of its annual compliance review, 
providing an opportunity for the NAI to summarize members’ compliance with 
the Code and NAI policies (Code § III.B.4.). The following section presents the 
findings of NAI staff with respect to the 2021 annual review. This section also 
more fully summarizes the obligations imposed by the Code but does not 
restate all principles and requirements set forth in the Code, and as such it 
should not be relied upon for that purpose. The full Code, including definitions 
of relevant terms, can be found through the links provided in this report. 


Education 


Key Requirements: 


e Members shall use reasonable efforts to individually educate users about 
Tailored Advertising and are required to collectively maintain the NAI website 
for this same purpose. 

(Code § II.A.) 


Review Method: 


° NAI staff reviewed evaluated member company websites to identify 
educational components in privacy policies and elsewhere on the sites. 


° NAI staff interviewed members to assess other educational and public service 
efforts. 


Findings: 
° All members met the requirement to collectively provide the NAI website, 


which serves as a centralized portal for explanations of Tailored Advertising 
and its associated practices to educate consumers. 


° NAI staff found that all evaluated member companies provided disclosures 
and other information regarding the technologies used for Tailored 
Advertising, as well as links to the NAI website, which contains extensive 
educational content. In addition, NAI staff found that multiple evaluated 
member companies provided separate consumer education content outside 
their privacy disclosures or opt-out pages. These pages were dedicated 
to explaining the evaluated member's Tailored Advertising activities and 
provided consumers with an easy-to-locate choice mechanism. 
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° Through their collective participation in the NAI, and maintenance of the NAI 
website to educate consumers about Tailored Advertising, as well as through 
their individual efforts to provide educational content for consumers, all NAI 
members met the education requirements of the Code. 


Transparency and Notice 


Key Requirements: 


° Each member is required to provide clear, meaningful, and prominent notice 
on its website that describes the member's data collection, transfer, retention, 
and use practices for Tailored Advertising and Ad Delivery and Reporting, 
including any PII, Sensitive Information, Viewed Content Information, Precise 
Location Information, Sensor Information, and Personal Directory Information, 
if applicable. Members must also provide links to or instructions for Opt-Out 
Mechanisms, including disclosures of any Cross-Device Linking and its effect 
on opt-outs, as well as attestations of NAl membership and compliance with 
the Code. 

(Code § II.B.1.) 


Members that use audience segments for Tailored Advertising that are based 
on health-related information or interests are required to disclose a full list of 
all such standard segments and a representative sample of custom segments. 
(Code § II.B.2.) 


Members that use audience segments for Tailored Advertising that are based 
on political information or interests are required to disclose a full list of all such 
standard segments and a representative sample of custom segments. 

(Code § II.B.3.) 


Members that have direct contracts with website, mobile app, or connected 
television publishers with which they engage in Tailored Advertising are 
required to take steps to contractually require those publishers to provide 
users with notice of third-party data collection and use for these purposes, the 
types of data collected, and a conspicuous link to or a description of how to 
access an Opt-Out Mechanism. 

(Code § |I.B.4-6.) 


Members are required to provide, or support the provision or implementation 
of, notice of Tailored Advertising data collection and use practices and the 
NAI-supported choices available to users, in or around advertisements that 
informed by such data. 

(Code § 1I.B.8.) 
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Review Method: 

° NAI staff assessed the privacy policies and other privacy-related disclosures 
of evaluated member companies based on the Tailored Advertising and 
Ad Delivery and Reporting practices described in each company’s annual 
interview, its corporate site, responses to the annual compliance review 
questionnaire, business model changes, and news articles. 


NAI staff verified whether evaluated member companies’ websites provided 
links to Opt-Out Mechanisms for the companies’ Tailored Advertising across 
websites and mobile applications, as well as on television screens, as 
applicable. 


NAI staff reviewed the websites of evaluated member companies to determine 
if they met the obligation to provide “prominent” notice. 


NAI staff reviewed representative contractual language provided by evaluated 
member companies to confirm that these contracts included appropriate 
requirements for website and mobile app publishers to provide users with 
“pass-on” notice of Tailored Advertising data collection and use. 


NAI staff questioned evaluated member companies to ensure that they 
provide or support the provision or implementation of notice in or around ads 
informed by Tailored Advertising. 


NAI staff questioned evaluated member companies to determine if those 
companies used segments based on health-related information, and then 
reviewed those companies’ websites to help ensure that such segments were 
disclosed. 


NAI staff questioned evaluated member companies to determine if those 
companies used segments based on political information, and then reviewed 
those companies’ websites to help ensure that such segments were disclosed. 


Findings: 

° NAI staff found that all evaluated member companies provided privacy 
policies that described their respective Tailored Advertising and ADR 
practices. Evaluated member companies continued to provide thorough 
disclosures regarding data collection and use in mobile apps as well as clear 
explanations of Cross-Device Linking practices, as applicable. In twenty-six 
cases, NAI staff offered suggestions to make privacy disclosures clearer and 
easier to understand. 


° NAI staff worked with member companies to provide feedback and 
suggestions when disclosures were not clear in given areas. Depending on 
their practices, evaluated member companies could each be responsible for 
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over thirty different disclosures, or over two thousand five hundred disclosures 
collectively. In one hundred and two instances where a required disclosure 
was missing or inadequate, NAI staff provided explanations and feedback on 
how to meet specific NAI requirements. 


NAI staff found that all evaluated member companies provided opt-out links 
for web-based Tailored Advertising, and/or instructions for opting out on 
mobile devices, in their privacy policies or consumer choice pages. 


NAI staff continued to observe improvements from prior years in evaluated 
member companies’ disclosures of data collection and use on televisions, as 
well as in the provision of instructions for opting out on television sets and on 
connected devices. 


NAI staff found that nearly all evaluated member companies provided 
easy-to-find links to their privacy disclosures in the footer or header of 

the homepage of their websites, and that nearly all evaluated member 
companies provided separate and distinct links, directly on the home pages of 
their sites, pointing to opt-out instructions for users. In three cases where such 
links were more difficult to find, it was typically the result of website redesigns, 
and other privacy-related links were often available. 


NAI staff found that most evaluated member companies complied with the 
requirement to provide disclosures of any standard health-related audience 
segments in a variety of formats. Some member companies provided 
disclosures of all standard audience segments, regardless of topic, while some 
instead provided preference managers or other tools that not only allowed 
users to view available segments but also enabled granular control for those 
consumers who wished (or did not wish) to receive targeted ads on specific 
topics. Many other companies provided these disclosures through links from 
the privacy or marketing sections of their sites. In some cases, NAI staff asked 
evaluated member companies to add or update health disclosures. 


° NAI staff found that nearly all evaluated member companies using political 
segments complied with Transparency and Notice 


Key Requirements: 


° Each member is required to provide clear, meaningful, and prominent notice 
on its website that describes the member's data collection, transfer, retention, 
and use practices for Tailored Advertising and Ad Delivery and Reporting, 
including any PII, Sensitive Information, Viewed Content Information, Precise 
Location Information, Sensor Information, and Personal Directory Information, 
if applicable. Members must also provide links to or instructions for Opt-Out 
Mechanisms, including disclosures of any Cross-Device Linking and its effect 
on opt-outs, as well as attestations of NAl membership and compliance with 
the Code. 

(Code § I1.B.1.) 
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° Members that use audience segments for Tailored Advertising that are based 
on health-related information or interests are required to disclose a full list of 


all such standard segments and a representative sample of custom segments. 
(Code § 11.B.2.) 


e Members that use audience segments for Tailored Advertising that are based 
on political information or interests are required to disclose a full list of all such 
standard segments and a representative sample of custom segments. 

(Code § 1I.B.3.) 


e Members that have direct contracts with website, mobile app, or connected 
television publishers with which they engage in Tailored Advertising are 
required to take steps to contractually require those publishers to provide 
users with notice of third-party data collection and use for these purposes, the 
types of data collected, and a conspicuous link to or a description of how to 
access an Opt-Out Mechanism. 

(Code § 1I.B.4-6.) 


° Members are required to provide, or support the provision or implementation 
of, notice of Tailored Advertising data collection and use practices and the 
NAl-supported choices available to users, in or around advertisements that 
informed by such data. 

(Code § II.B.8.) 


Review Method: 


° NAI staff assessed the privacy policies and other privacy-related disclosures 
of evaluated member companies based on the Tailored Advertising and 
Ad Delivery and Reporting practices described in each company’s annual 
interview, its corporate site, responses to the annual compliance review 
questionnaire, business model changes, and news articles. 


NAI staff verified whether evaluated member companies’ websites provided 
links to Opt-Out Mechanisms for the companies’ Tailored Advertising across 
websites and mobile applications, as well as on television screens, as 
applicable. 


NAI staff reviewed the websites of evaluated member companies to determine 
if they met the obligation to provide “prominent” notice. 


NAI staff reviewed representative contractual language provided by evaluated 
member companies to confirm that these contracts included appropriate 
requirements for website and mobile app publishers to provide users with 
“pass-on’ notice of Tailored Advertising data collection and use. 


NAI staff questioned evaluated member companies to ensure that they 
provide or support the provision or implementation of notice in or around ads 
informed by Tailored Advertising. 

° NAI staff questioned evaluated member companies to determine if those 
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companies used segments based on health-related information, and then 
reviewed those companies’ websites to help ensure that such segments were 
disclosed. 


° NAI staff questioned evaluated member companies to determine if those 
companies used segments based on political information, and then reviewed 
those companies’ websites to help ensure that such segments were disclosed. 


Findings: 

° NAI staff found that all evaluated member companies provided privacy 
policies that described their respective Tailored Advertising and ADR 
practices. Evaluated member companies continued to provide thorough 
disclosures regarding data collection and use in mobile apps as well as clear 
explanations of Cross-Device Linking practices, as applicable. In twenty-six 
cases, NAI staff offered suggestions to make privacy disclosures clearer and 
easier to understand. 


NAI staff worked with member companies to provide feedback and 
suggestions when disclosures were not clear in given areas. Depending on 
their practices, evaluated member companies could each be responsible for 
over thirty different disclosures, or over two thousand five hundred disclosures 
collectively. In one hundred and two instances where a required disclosure 
was missing or inadequate, NAI staff provided explanations and feedback on 
how to meet specific NAI requirements. 


NAI staff found that all evaluated member companies provided opt-out links 
for web-based Tailored Advertising, and/or instructions for opting out on 
mobile devices, in their privacy policies or consumer choice pages. 


NAI staff continued to observe improvements from prior years in evaluated 
member companies’ disclosures of data collection and use on televisions, as 
well as in the provision of instructions for opting out on television sets and on 
connected devices. 


NAI staff found that nearly all evaluated member companies provided 
easy-to-find links to their privacy disclosures in the footer or header of 

the homepage of their websites, and that nearly all evaluated member 
companies provided separate and distinct links, directly on the home pages of 
their sites, pointing to opt-out instructions for users. In three cases where such 
links were more difficult to find, it was typically the result of website redesigns, 
and other privacy-related links were often available. 


NAI staff found that most evaluated member companies complied with the 
requirement to provide disclosures of any standard health-related audience 
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segments in a variety of formats. Some member companies provided 
disclosures of all standard audience segments, regardless of topic, while some 
instead provided preference managers or other tools that not only allowed 
users to view available segments but also enabled granular control for those 
consumers who wished (or did not wish) to receive targeted ads on specific 
topics. Many other companies provided these disclosures through links from 
the privacy or marketing sections of their sites. In some cases, NAI staff asked 
evaluated member companies to add or update health disclosures. 


NAI staff found that nearly all evaluated member companies using political 
segments complied with the requirement to provide disclosures of any 
standard political segments in a variety of formats. One evaluated member 
company worked with NAI staff to add such disclosures. 


A review of evaluated member companies’ representative partner 

contracts indicates that these companies included appropriate contractual 
requirements regarding user notice and choice, when possible, while working 
directly with website and application publishers. In some cases, NAI staff 
asked evaluated member companies to add additional requirements to 
partner contracts. 


NAI staff found that many evaluated member companies conduct due 
diligence on websites and applications where they sought to conduct Tailored 
Advertising activities, when initiating a relationship with those partners. Some 
evaluated member companies trained their sales teams to evaluate notice 
when onboarding new partners, and some member companies did not 

do business with partners unwilling to include the requested notice. Many 
evaluated member companies also perform random follow-up checks of their 
partners. In rare instances NAI staff asked an evaluated member company to 
engage in additional due diligence when vetting partners. 


All evaluated member companies provided real-time notice and choice to 
consumers in and around the ads delivered to them by serving a form of 
enhanced notice, such as the YourAdChoices icon. Those evaluated member 
companies that offer technology platforms, and only facilitate the collection 
and use of data by their clients for Tailored Advertising, provided their clients 
with the ability to include this notice on their advertisements through their own 
platform settings. 
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User Control 


Key Requirements: 


° The level of choice that members must provide is commensurate with the 
sensitivity and intended use of the data. This includes: (a) provision of an 
Opt-Out Mechanism for the use of Device Identifying Information (DII) for 
Tailored Advertising (b); robust notice for the merger of PII with DII to be 
collected on a going forward basis for Tailored Advertising (c); obtaining a 
user’s Opt-In Consent for the merger of PII with previously collected DII for 
Tailored Advertising (d); obtaining a user’s Opt-In Consent for the use of 
Precise Location Information, Sensitive Information, Sensor Information, or 
Personal Directory Information for Tailored Advertising and Ad Delivery and 
Reporting; and (e); obtaining a user’s Opt-In Consent for the collection of all 
or substantially all Viewed Content Information from a television for Viewed 
Content Advertising. The Code commentary clarifies that when relying on 
platform controls for consent, such as when a user consents to location data 
sharing on their mobile device, NAl members must take steps to ensure the 
user is prominently notified about the sharing of the data and its use for 
advertising, before or during the consent process. 

(Code § II.C.1.) 


° An Opt-Out Mechanism for a member's web-based Tailored Advertising shall 
be made available on both the member’s website and on the NAI website. 
(Code § II.C.2.) 


e Members engaging in Audience-Matched Advertising must provide an Opt- 
Out Mechanism linked to the PII or hashed PII used for such matching. The 
enforcement of this provision began on July 1, 2021, following a delay to allow 
for additional time for technical development. 

(Code § II.C.3.) (New for 2021) 


° While a browser or device is opted out of Tailored Advertising by a member, 
that member shall cease data collection on the opted-out device for Tailored 
Advertising use on any other browser or device associated through Cross- 
Device Linking, and shall cease Tailored Advertising on the opted-out device 
using data collected on any other browser or device associated through 
Cross-Device Linking. 

(Code § II.C.4.) 


° The technologies that members use for Tailored Advertising purposes shall 
provide users with an appropriate degree of transparency and control. 
(Code § II.C.6.) 
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Review Method: 


° Throughout the year, NAI staff monitored evaluated member company 
Opt-Out Mechanisms present on the NAI website to help ensure that these 
mechanisms functioned correctly. 


° NAI staff performed in-depth manual reviews of evaluated member company 
Opt-Out Mechanisms present on the NAI website and the member company’s 
own website to help ensure that these mechanisms functioned correctly, 
including a review of the expiration dates of opt-out cookies, cookie values 
and names, and any discrepancies between functionality on the NAI website 
and the evaluated member companies’ websites. 


NAI staff reviewed the instructions provided by members for opting out 
of Cross-App Advertising, including through platform-provided choice 
mechanisms. 


NAI staff reviewed the instructions provided by members for opting out of 
Viewed-Content Advertising, including through platform-provided choice 
mechanisms. 


In those instances where evaluated member companies engaged in Cross- 
Device Linking, NAI staff confirmed with the member companies that opt-outs 
met NAI Code requirements and the effect of opt-outs on Cross-Device Linking 
was explained to users. 


NAI staff reviewed detailed questionnaires, required of all evaluated member 
companies, regarding the functionality of their Opt-Out Mechanisms, the 
technologies used for Tailored Advertising, and the purposes for any unique 
identifiers existing after an opt out. 


In those instances where an evaluated member company engaged in 
activities that required the provision of robust notice or obtaining a user’s Opt- 
In Consent, NAI staff reviewed such notice and consent mechanisms to help 
ensure their adequacy under the Code. 


In instances where evaluated member companies collected Precise Location 
Information, NAI staff reviewed the just-in-time notice procedures required to 
obtain consent for the collection of Precise Location Information. 


NAI staff worked with evaluated member companies engaged in Audience- 
Matched Advertising to ensure they understood the NAI’s requirements for 
user choice, and finalized the functionality and specifications of the NAI’s 
Audience-Matched Advertising Opt-Out Mechanism. For member companies 
reviewed after the compliance deadline of July 1, 2021, NAI staff worked to 
ensure member companies engaged in Audience-Matched Advertising were 
integrated with the Opt-Out Mechanism. 
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Findings: 


° All members engaged in web-based Tailored Advertising provided access to 
Opt-Out Mechanisms on both their own websites and the NAI industry opt- 
out tool. NAI testing indicated that these opt-outs functioned correctly. In the 
rare instances where NAI staff discovered glitches or malfunctioning links, 
these were addressed by affected member companies within a reasonable 
timeframe, typically in less than a week. In all such cases, NAI staff determined 
that the malfunction was unintentional, appeared in limited locations and/or 
for a limited time period, and did not affect a significant number of users. As 
detailed further in this report, in one instance an NAI investigation uncovered 
an extended opt-out failure by one evaluated member company, which has 
since been remedied. See discussion below in Investigations and Sanctions. 


NAI staff found that any cookies used by NAI members after an opt out 

were used only to maintain the user's opt-out status or for Ad Delivery and 
Reporting, as permitted by the Code. Staff also found that all opt-out cookies 
were set to expire at least five years in the future, and often many years 
beyond that. 


NAI staff confirmed with all evaluated member companies engaged in Cross- 
Device Linking that they provided opt-outs that met NAI requirements for 
disassociating the opted-out device from other devices for Tailored Advertising 
purposes, and that these member companies provided disclosures explaining 
the opt-out's effect on Cross-Device Linking. 


NAI staff found that all evaluated member companies engaged in Cross-App 
Advertising provided an easy-to-use consumer choice mechanism based on 
device platform controls. Staff found that the majority of evaluated member 
companies provided clear disclosures around such mechanisms, often 
pointing to the NAI’s own detailed instructions for users who wish to enable 
privacy controls on their mobile devices. In six instances where evaluated 
member companies’ disclosures could have provided additional clarity in 
this area, staff provided guidance on industry best practices, for example by 
including more detailed instructions on where in their device's settings users 
can find the relevant privacy controls, or links to more detailed or pictographic 
descriptions. 


NAI staff found that all evaluated member companies collecting all, or 
substantially all, Viewed Content Information for Viewed-Content Advertising, 
obtained Opt-In Consent from consumers. 


In 2019 the NAI issued a warning to members regarding inconsistency in 
disclosures about the Consumer Choice Mechanisms available on connected 
televisions and streaming devices, and NAI staff observed significant 
improvement in those member companies’ instructions for choice mechanisms 
on televisions and connected devices, often pointing to the NAI’s own 
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instructions for users who wish to enable privacy controls on their televisions 
and other devices. 


NAI staff observed a large increase in the availability of ad impressions on 
televisions and connected devices that do not leverage Viewed Content 
Information but may include other types of information such as IP address. 
The rapid adoption of these products led to many evaluated member 
companies entering the connected television space for the first time, and for 
member companies previously working in this space to develop new products. 
NAI staff found that among many evaluated member companies disclosures 
of these practices were inconsistent or incomplete, particularly with respect 

to the availability of Opt-Out Mechanisms. The NAI clarified for all member 
companies what their obligations are under the Code as new addressability 
methods are explored together with new content delivery technologies. The 
NAI informed all members that disclosures and consumer choice mechanisms 
in the connected television space will be a key focus during compliance 
reviews in 2022. 


NAI staff found that all evaluated member companies engaged in the 
collection and use of Precise Location Information for Tailored Advertising 
obtained Opt-In Consent through device platform consent mechanisms. NAI 
staff also found that all evaluated member companies were aware of the 
changes to the NAI Code regarding the need for just-in-time notice of third- 
party data collection and use for advertising when obtaining consent through 
platform controls, and were taking steps to help ensure that additional notice 
is provided at the time of consent. In thirteen cases, NAI staff worked with 
evaluated member companies to help bolster these efforts with partners 
through contractual language and other means. 


NAI staff found that very few evaluated member companies collected PII 

for Tailored Advertising or merged such data with DII collected for Tailored 
Advertising. Where members did engage in these practices, NAI staff 
confirmed that all those evaluated member companies provided robust notice 
and obtained Opt-In Consent. 


NAI staff found that no evaluated member companies engaged in the use of 
Sensitive Information for Tailored Advertising, and thus did not evaluate any 
Opt-In Consent mechanisms used for such data collection. 


NAI staff found that no NAI members engaged in the collection of Personal 
Directory Information for Tailored Advertising purposes, and thus did not 
evaluate any Opt-In Consent mechanisms used for such data collection. 

NAI staff found that no NAl members engaged in the collection of Sensor 
Information for Tailored Advertising purposes, and thus did not evaluate any 
Opt-In Consent mechanisms used for such data collection. 
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° NAI staff found that evaluated member companies reporting the use of Non- 
Cookie Technologies for web-based Tailored Advertising provided adequate 
disclosures around this topic and were integrated with the NAI’s Opt-Out 
Mechanism for the use of Non-Cookie Technologies. 


e NAI staff found that all evaluated member companies engaged in Audience- 
Matched Advertising and processing hashed email addresses were 
successfully integrated with the NAI’s email-based Audience-Matched 
Advertising Opt-Out Mechanism. 


Use Limitations 


Key Requirements: 


e Members shall obtain verifiable parental consent for the creation of Tailored 
Advertising segments specifically targeting children under sixteen years of 
age. 

(Code § II.D.1.) 


e Members shall not use, or allow the use of, data collected through Tailored 
Advertising or ADR for the purpose of determining or making any non- 
marketing eligibility decisions, including those regarding employment, credit, 
health care, insurance, tenancy, and education. 

(Code § II.D.2.) 


Review Method: 


° NAI staff reviewed detailed questionnaires, required of all evaluated member 
companies, and interviewed members, regarding Tailored Advertising 
segments specifically targeting children under sixteen years of age, ensuring 
to highlight that the NAI age threshold for children had increased from thirteen 
to sixteen years. 


° NAI staff reviewed detailed questionnaires, required of all evaluated member 
companies, and interviewed members regarding the use of data for eligibility 
decisions. 


Findings: 


° All evaluated member companies indicated awareness of the sensitivity of 
data related to children for Tailored Advertising, and all confirmed that they 
do not target children under sixteen. 


° All evaluated member companies indicated awareness of the sensitivity of the 
use of data for eligibility decisions, and all confirmed that they do not use, or 
allow the use of, data for such purposes. 
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Transfer Restrictions 


Key Requirements: 


e Members shall require any unaffiliated parties to which they provide PII for 
Tailored Advertising and ADR purposes, adhere to the provisions of the Code 
concerning PII. 

(Code § 1I.E.1.) 


e Members shall require all parties to which they provide DII collected through 
Tailored Advertising and ADR, not attempt to merge such DII with PII held 
by the receiving party or to otherwise re-identify the individual for Tailored 
Advertising purposes without obtaining the individual’s Opt-In Consent. 
(Code § II.E.2.) 


Review Method: 


° NAI staff reviewed detailed questionnaires required of all evaluated member 
companies, and interviewed members regarding the transfer restrictions in 
place when members share data with third parties. 


Findings: 


° All evaluated member companies indicated awareness of the restrictions that 
must be placed on data transferred to third parties, and all attested that they 
place such restrictions on data transfers either explicitly or implicitly. 


—e 


Data Access, Quality, Security, and Retention 


Key Requirements: 


° Members retaining PII for Tailored Advertising shall provide users with 
reasonable access to that PII and other information that is associated with the 
PII, retained by the member for Tailored Advertising purposes. 

(Code § II.F.1.) 


e Members shall conduct appropriate due diligence to help ensure they obtain 
data used for Tailored Advertising from responsible sources that provide users 
with appropriate levels of notice and choice. 

(Code § II.F.2.) 


e Members that collect, transfer, or store data for use in Tailored Advertising and 
ADR purposes shall provide reasonable security for that data. 
(Code § II.F.3.) 
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° Members shall retain DII and PII collected for use in Tailored Advertising 
and ADR only as long as necessary to fulfill a legitimate business need, or as 
required by law. 

(Code § II.F.4.) 


Review Method: 


° NAI staff reviewed detailed questionnaires, required of all evaluated member 
companies, and interviewed members, to determine which companies 
may collect Pll for Tailored Advertising purposes, and then reviewed those 
companies’ websites to confirm that these companies provided users with 
reasonable access to that PII and other information associated with the PII. 


° NAI staff reviewed detailed questionnaires, required of all evaluated member 
companies, and interviewed members to help confirm that all evaluated 
member companies understand the importance of choosing responsible 
sources of data, and that NAl members take this responsibility seriously. 


NAI staff reviewed detailed questionnaires, required of all evaluated member 
companies, to help confirm that all evaluated member companies provide 
reasonable security for data collected for Tailored Advertising and ADR 
purposes. 


NAI staff reviewed detailed questionnaires, required of all evaluated member 
companies, and interviewed members to help confirm that all evaluated 
member companies retain data only so long as a legitimate business need 
exists, and that each evaluated member company’s disclosures reflect 

such finite retention periods accurately. In the case of cookie-based data 
collection, NAI staff manually examined the expiration dates of evaluated 
member companies’ cookies and posed additional questions when those 
cookies’ lifespans exceeded the stated retention periods. NAI staff also used 
this opportunity to encourage members to reduce their data retention periods 
where possible. 


Findings: 


° NAI staff found that the vast majority of evaluated member companies did 
not engage in the collection or use of PII for Tailored Advertising purposes, but 
in those instances where it was applicable, evaluated member companies 
to make sure they provided the required consumer choice for such data and 
user access to this data through consumer-facing portals. 


e Most evaluated member companies reported conducting due diligence on 
data sources to help ensure their responsible practices, particularly when 
those partners were not members of the NAI and thus could not be counted 
on to have undergone the same compliance review. In those instances where 
evaluated member companies could improve their due diligence programs, 
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NAI staff explained the Code requirement and provided best practices for 
ensuring that data comes only from responsible sources. 


All evaluated member companies attested that they complied with the 
obligation to reasonably secure data. There were no publicly reported 
data breaches regarding Tailored Advertising data by evaluated member 
companies during the 2021 compliance review period. 


All evaluated member companies confirmed their data retention policies, and 
explained the legitimate business uses for their respective retention periods, 
which were typically also stated in the members’ privacy disclosures. In those 
instances where evaluated member companies utilized rolling retention 
periods that update each time a browser is encountered, NAI staff provided 
guidance to help clarify relevant disclosures. In several instances, NAI staff 
asked evaluated member companies to improve, clarify, or expand retention 
disclosures. 


Accountability 


Key Requirements: 


e Members should designate at least one individual with responsibility for the 
managing of the member’s compliance with the Code and to provide training 
to relevant individuals within the company. 

(Code § III.A.2.) 


e Members shall publicly and explicitly disclose their membership in the NAI and 
their adherence to the NAI Code. 
(Code § III.A.3.) 


e Members shall provide a mechanism through which users can submit 
questions or concerns about the company’s collection and use of data for 
Tailored Advertising and shall make reasonable efforts, in a timely manner, to 
respond to and resolve questions and concerns that implicate the company’s 
compliance with the Code. 

(Code § III.C.1.) 


Review Method: 


° NAI staff spoke with at least one individual at each evaluated member 
company to ensure that such an individual was designated by the company 
with responsibility for the managing of the member's compliance with the 
Code and providing training to relevant individuals within the company. 


° NAI staff reviewed each evaluated member company’s disclosures to ensure 
that every member company publicly and explicitly disclosed its membership 
in the NAI and its adherence to the Code. 
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° NAI staff verified that all evaluated member companies provided a 
mechanism through which users could submit questions or concerns by 
sending consumer queries to gauge the member's responsiveness and 
timeliness of such responses. 


Findings: 


° At least one individual at each evaluated member company, who filled out 
the annual compliance questionnaire and spoke with NAI staff during the 
company’s compliance interview, confirmed they were designated by the 
company with responsibility for the managing of the member's compliance 
with the Code and providing training to relevant individuals within the 
company. 


° Most evaluated member companies met the requirement to publicly disclose 
their membership in the NAI and compliance with the Code. In six instances 
evaluated member company disclosures were unclear about NAl membership 
and adherence to the NAI Code, for example referencing an older version of 
the Code or omitting a reference to such adherence. Those members worked 
with NAI staff to improve their disclosures. 


° NAI staff noted that 73% of members responded to pseudonymous consumer 
queries in a timely and informative manner after the first round, and 92% 

of members did so after a second attempt. In instances where member 
companies did not respond to the NAI’s consumer queries, typically due to junk 
mail filtering, the NAI worked with affected member companies to address 
internal procedures related to the consumer contact mechanism. 


Investigations and Sanctions 


Overview: 


A thorough initial qualification process, coupled with the annual compliance 
assessment process to flag and address issues quickly and the availability of 
strong sanctions’? should members fail to comply, combine to form the keystone 
of the NAI self-regulatory program. The NAI also firmly believes that identifying 
problems early and giving member companies an opportunity to resolve 
minor issues related to the Code allows members to be more candid during 
compliance reviews and enables them to address these potential issues before 
they can affect the broader population. This approach fosters an environment 
of mutual trust between the NAI and its members, and ultimately results in 
enhanced privacy protection for consumers as members become more open 
about potential shortcomings and more willing to participate in self-regulatory 
efforts. 


D PAGE 35 THENAI.ORG 


SESS OS 
DAA? 
AO F 4s 


Sa 
Sie isierere 


HO 
2 TA ALLL TPA 27 


That said, NAI staff investigates private and public allegations of 
noncompliance. In the event that NAI staff find, during any of the compliance 
processes, that a member company may have materially violated the Code, the 
matter may be referred to the Compliance Committee of the Board of Directors 
with a recommendation for sanctions. Should the Committee determine that a 
member has materially violated the Code, the full NAI Board of Directors may 
impose sanctions, including suspension or revocation of membership. The NAI 
may ultimately refer the matter to the FTC if a member company refuses to 
comply. The NAI may also publicly name a company in this compliance report, 
and or elsewhere as needed, when the NAI determines that the member 
materially violated the Code or engaged in willful noncompliance. 


Investigations: 


NAI staff conducted two investigations of potential material violations of the 
Code during the 2021 compliance review period. 


Investigation 1 


The first NAI investigation resulted from NAI staff testing the functionality of 
various Opt-Out Mechanisms provided by member companies on their own 
websites and on the NAI website. NAI staff found that an evaluated member 
company that engaged in web-based Tailored Advertising experienced 
problems in setting persistent, generic, opt-out cookies. These cookies were 
being set as session cookies, expiring when the browser is closed. This 
potentially affected the member's ability to comply with the Code’s requirement 
of an Opt-Out Mechanism for Tailored Advertising.”° 


Further investigation revealed that the issues were caused by a change to a 
major web browser and the way it handled cookies from external domains. This 
meant that the evaluated member company was attempting to set persistent 
and generic opt-out cookies that expired at least five years in the future, but 
that the browser was deleting the cookies or changing their status to expire at 
the end of the session. 


As the evaluated member company was undergoing restructuring and multiple 
staffing changes, the company was unable to remedy the situation for an 
extended period. This resulted in the company’s removal from the NAI Opt-Out 
Mechanism for a period of seven months. 


NAI staff determined that the problem was inadvertent, affected only users of 
specific versions of the browser in question, and appeared to equally affect the 
company’s Tailored Advertising technologies, preventing the company from 
setting persistent tracking cookies and limiting its impact until it was resolved. 
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Investigation 2 


The second NAI compliance investigation stemmed from an article in an online 
publication, alleging that an NAI member company engaged in methods of 
sharing Precise Location Information with third parties that permitted the re- 
identification of consumers. Such allegations brought into question multiple NAI 
Code provisions with respect to transfer restrictions, re-identification, and the 
merger of DII and PII. 


The NAI’s investigation indicated that the article contained a number of 
inaccuracies and was factually incorrect in the basic allegation that any 
user-level Precise Location Information was shared by the member company 
with third parties. The member company’s representatives attested that the 
company did not share or otherwise disclose any user-level Precise Location 
Information, and that when sharing aggregate information based on data from 
multiple devices, the company did not permit or facilitate the re-identification of 
individuals. These responses were consistent with NAI’s staff's understanding of 
the company’s products and industry practices. 


Based on these attestations, NAI staff determined that no violation of the Code 
took place, and that sanctions would not have been appropriate. 


Summary: 


The NAI’s approach to compliance helps give NAI staff the access to be able 

to spot potential Code violations, and for member companies to remedy those 
issues while reserving sanctions primarily for instances in which member 
companies are unwilling to make requested changes or fail to cooperate with 
NAI staff. This accountability and oversight are a foundation on which the digital 
advertising ecosystem can build for the future. 


Based on its historical approach to noncompliance, typically caused by 
misunderstandings, staffing changes at member companies, or technical 
glitches, NAI staff worked with members to identify and resolve issues before 
they could become material violations of the Code. 


Summary of Findings 


2021 brought change to the digital advertising industry, from the continuing 
disruptions to daily life and work caused by the global COVID-19 pandemic, 
to the shift in addressability methods precipitated by changes to browsers 
and mobile operating systems, and the development of new consumer choice 
mechanisms to address upcoming state legislative requirements. NAI staff 
were reassured to find that evaluated member companies continued their 
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strong record of compliance with the Code, in spite of the financial and staffing 
challenges many companies faced. 


Overall, NAI staff observed compliance from nearly all evaluated member 
companies, including the presence of new disclosures required as of 2020, the 
launch of the NAI Opt-Out Mechanism for Audience-Matched Advertising, and 
further proliferation of just-in-time notice for the collection of Precise Location 
Information. Evaluated member companies demonstrated that they remain 
vigorously committed to the NAI’s self-regulatory framework. Representatives 
from evaluated member companies welcomed feedback and best-practice 
suggestions from NAI staff, signaling their commitment to providing and 
building a top-notch privacy protection program in the midst of economic, 
regulatory, and technological uncertainty. 


THENAI.ORG 


CONCLUSION 


This report readily demonstrates the key role of the NAI’s Code and self- 
regulatory process in promoting consumer privacy in the digital advertising 
industry, particularly as the digital media ecosystem faces change through 
technology and legislation. Through the years, the NAI continues to update 

its Code and guidance to keep pace with technological developments and 
changing norms, culminating most recently in the publication of the 2020 

NAI Code of Conduct. That Code greatly expanded the scope of the NAI’s 
compliance program and provided many new privacy protections for users 

in the realm of device sensors, location data, sensitive data, and offline data 
use for digital advertising. As this year’s compliance review demonstrated, 
member companies are working hard to ensure compliance with existing and 
new requirements, but already new technologies, products, and addressability 
methods have been introduced which require analysis and self-regulatory 
guidance, and the NAI is deeply involved in these efforts. 


In 2021 the NAI evaluated 86 member companies, while separately reviewing 
five additional companies who were accepted as new members during the 
year. Through this review, NAI staff closely monitored the digital advertising 
ecosystem, staying current with the latest developments and challenges, which 
translated directly into review priorities for 2022. The feedback loop of drafting 
policies to preserve and enhance consumer privacy in the digital advertising 
ecosystem, while conducting annual reviews of the companies that compose 
a significant portion of this market, allows the NAI to not only identify the most 
pressing and timely issues and challenges, but also to address them in a swift 
and effective manner. 


Recognizing this seminal moment in which legislative, regulatory, and 
technological developments are reshaping the digital economy, the NAI has 
devoted its resources to provide the same thought leadership and industry 
consensus that it has become known for. To that end, the NAI has increased its 
public policy efforts, and is hosting numerous working groups to help develop 
new and enhanced self-regulatory standards. 


One of these challenges includes the rapidly developing ecosystem of digital 
advertising on connected televisions and over-the-top (CTV/OTT) streaming 
devices such as streaming sticks, gaming consoles, and smart speakers, where 
the NAI is evaluating how to bring consistency and clarity to disparate platforms 
and identifiers, and how members may in Tailored Advertising on these devices 
in a privacy-first manner. 


Another area of focus for the NAI is to provide improved consumer choice and 
transparency for shared addressability solutions, which have arisen in response 
to changes in browsers and operating systems. The NAI’s efforts would allow 
publishers and advertisers to pseudonymously distinguish the same consumers 
in a privacy-protective and transparent way, subject to consumer choice. 
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The NAI is participating in a number of industry initiatives with fellow trade 
associations and self-regulatory bodies with the goal of coalescing the digital 
advertising industry around technical standards and privacy-protective 
regulatory measures that meet or surpass emerging legal requirements, while 
allowing for Tailored Advertising to adapt to new addressability standards in 
web browsers, on mobile operating systems, and the multitude of connected 
television platforms. 


At a time when the existence of targeted marketing and digital advertising 
is being questioned and reconsidered globally, it is even more important 

for self-regulatory efforts to clearly demonstrate that a thoughtful, nimble, 
and flexible self-regulatory approach can provide robust consumer privacy 
protection by rapidly adapting to changes in digital advertising technology, 
and the Internet economy more broadly. Perhaps most importantly, the NAI’s 
approach aims to preserve free and equal consumer access to a bounty 

of diverse content online; to bolster the US economy by making it possible 
for small and medium enterprises to find customers for their products and 
services; and to help its own members, many of whom are small and medium 
enterprises themselves, to compete effectively in the marketplace. 


Preserve free and 
equal consumer 

access to diverse 
online content 


Bolster customer 
utilization of 
small and medium 
enterprises 


NAI 


PRIVACY. TRUST & ACCOUNTABILITY 


Compliance with 
robust consumer 
privacy protections 


Help NAI members 
compete effectively in 
the marketplace 
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ENDNOTES 


1 Unless noted otherwise, all references to the NAI Code refer to the 2020 NAI Code of Conduct, 
which can be found at: https:// network rtising-org/sites/default/files/nai 
pdf, 

2 The Code defines Tailored Advertising as “the use of previously collected data about an 
individual, browser, or device to tailor advertising across unaffiliated web domains or 
applications, or on devices, based on attributes, preferences, interests, or intent linked to or 
inferred about that user, browser, or device” (Code § |.Q.). 


3 The Code imposes requirements with respect to Ad Delivery & Reporting, (ADR). ADR is defined 
in the Code as “the collection or use of data about a browser or device for the purpose of 
delivering ads or providing advertising-related services, including, but not limited to: providing 
a specific advertisement based on a particular type of browser, device, or time of day; statistical 
reporting, traffic analysis, analytics, optimization of ad placement; ad performance, reach, and 
frequency metrics (e.g, frequency capping); security and fraud prevention; billing; and logging 
the number and type of ads served on a particular day to a particular website, application, or 
device” (Code § |.A.). 


4 Since 2015 the NAI has formally applied the Code’s IBA requirements to the practice of 
Retargeting, defined as “the practice of collecting data about a browser's or device's activity 
in one unaffiliated web domain or application, or the use of such data, for the purpose of 
customizing an advertisement based on that data in a different, unaffiliated web domain or 
application, or a separate covered device” (Code § I.M.). 


$ IBA is defined in the Code as “the collection of data across web domains owned or operated 
by different entities, or the use of such data, for the purpose of tailoring advertising based on 
preferences or interests known or inferred from the data collected” (Code § I.G.). 


€ The Code defines CAA as “the collection of data across applications owned or operated by 
different entities on a particular device, or the use of such data, for the purpose of tailoring 
advertising based on preferences or interests known or inferred from the data collected” (Code 
51C). 


7 The Code defines Viewed Content Advertising as “the collection of Viewed Content Information, 
or the use of such data for the purpose of tailoring advertising based on preferences or interests 
known or inferred from the data collected” (Code § I.R.). Viewed Content Information is “data 
about the video content viewed on a television” (Code § |.S.). 


® The Code defines Audience-Matched Advertising (AMA) as "the practice of using data linked, 
or previously linked, to Personally-Identified Information (Pll) for the purpose of tailoring 
advertising on one or more unaffiliated web domains or applications, or on devices, based on 
preferences or interests known or inferred from such data” (Code § I.B.) 


® Johnson, Garrett and Shriver, Scott and Du, Shaoyin, Consumer Privacy Choice in Online 
Advertising: Who Opts Out and at What Cost to Industry? (June 19, 2019). Simon Business School 
Working Paper No. FR 17-19, Available at htto://dx.doi.org/1 2 


1 More information on the Privacy for America Coalition can be found at: 
ri meri m. 


"Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act, 
Network Advertising Initiative (Nov. 9, 2021), httos://thenai.org/preliminary-comments-on- 
proposed-rulemaking-under-the-california-privacy-rights-act, 

® Opt-Out Mechanism is defined under the Code as “an easy-to-use mechanism by which users 


may exercise choice to disallow Tailored Advertising with respect to a particular identifier, 
browser, or device” (Code § |.1.). 


® The NAI urges applicants and member companies to consult with their own technology and 
legal experts when reviewing the privacy implications of products and business plans. 


4 The following five companies completed the new member application process and became 
NAI members in 2021: Arity, Emodo, Inmobi, PulsePoint, and UNTU. 
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1$ The following companies were NAI members on January 1, 2021 but were not among evaluated 
member companies in 2021: 
a. SafeGraph and Skyhook were no longer engaged in Tailored Advertising activities in 
the United States. These companies terminated their NAl memberships in 2021. 
b. Fysical ceased operations in 2021. 
c. Conversant, Parrable, Reveal Mobile, and Signal terminated their NAI memberships in 
2021. 


* See supra, note 14. 


” NAI staff makes an effort to review its newest member companies early during the subsequent 
annual review, in order to minimize the time between a member's initial membership 
application review and its first annual compliance review. 


18 If a member has an agreement with a partner to collect data on the partner's site or app 
for Tailored Advertising purposes, the member is obligated to require through its contractual 
provisions that the partner provide notice to the user and a link to an Opt-Out Mechanism 
(Code §§ II.B.4-5.). This requirement is discussed more fully below. 


1 More information about the NAI’s Sanctions and Enforcement Procedures can be found at: 


https://thenai.org/accountability/compliance/. 
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